Probably one of the easiest ways we have found to quickly test your website is Websecurify. It is an online tool that comes as a Firefox or Chrome extension or a mobile application; a desktop edition is also available. By "online" we mean that the database and the scanning engine sit in the cloud, and only the front end is delivered as an extension.

The product page lists the many vulnerabilities the scanner is able to detect. The scanner comes in free and paid versions and a couple of different editions. The most prominent edition (called Suite) costs a bit less than $50 per month and has a one-month free trial (at the time of this writing).

Here we will quickly show how to scan a website with Websecurify. Just follow these steps.

1. Launch Websecurify. Everything is greyed out in the free version except the Foundation button, which is the free edition of the scanner.

2. Click Foundation.

3. Enter the website's URL and press Enter. The website inspection has started.

A small progress line indicates how far the scan has got.

4. After the scan finishes you are presented with the results.

That is indeed easy and simple. The biggest disadvantage is that you cannot customize your scans much. The scanning engine itself also seems to lack some capabilities.

Anyway, this tool gives us a nice opportunity to scan a website and get at least a gentle introduction to website security. The tool shows some potential and it will be interesting to see how it evolves in the future.

Website security is a complex beast. To do a comprehensive vulnerability assessment you need the right software, experience, patience and sometimes luck.

Whenever you approach a new website, or just want to test your own, the first thing is basically to scan it with your favorite security tool(s). Of course, if you're not familiar with the website, the first thing must simply be to browse it: get the look and feel, analyze its structure and gather as much data as possible.

w3af is a full-featured and actively used framework that can be used both for auditing and for exploitation. It is an extremely popular, powerful, flexible and easy-to-use framework for finding and exploiting web application vulnerabilities, with dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.

The only drawback (a really big one) is that w3af is very unstable. As far as we know, the authors are working hard on this.

If you simply try to point and shoot, it probably won't succeed. Stability and performance issues will force you to carefully adjust the options, select only the audit plugins you need, and only then point the tool at the website.

Burp Suite is an integrated platform for attacking web applications. It contains many tools, all of them sharing the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.

The paid version is not very expensive and is well worth the money. It is an indispensable tool for performing web application assessments: you can read web traffic and then manipulate it as much as you want. There is also a limited free version.

In general, Burp Suite is the Swiss Army knife of web auditing. If you are going to perform web audits or pentests, this tool should be number one in your arsenal.

Websecurify is an easy-to-use tool that shows great potential. It is probably the easiest tool to play with if you want a point-and-shoot type of test; manual vulnerability testing is also possible. It comes as a desktop edition, a Firefox or Chrome extension, or a mobile application.

However, the simplicity of this tool means that you cannot customize your scans much. The scanning engine itself also seems to lack some capabilities. It will be interesting to see how this tool evolves in the future.

Skipfish is an active web application security reconnaissance tool and an excellent choice for a quick, automated initial assessment of a website. Written in C, it is incredibly fast and can generate and analyze thousands of requests per second.

Skipfish prepares an interactive sitemap of the targeted website by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. Finally a report is prepared, which is meant to serve as a foundation for a professional web application security assessment.

Wapiti is a tool written in Python that scans the pages of the web app, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see whether a script is vulnerable.
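To make the two ideas above concrete (Skipfish's recursive crawl that builds a sitemap, and Wapiti's "find every form, then inject into it" loop), here is a miniature version of that crawl-then-probe workflow. It is an added example written for this post, not code from Skipfish, Wapiti or any other tool, and it runs entirely offline against a constructed in-memory site (`site.example`, the `/search` and `/feedback` pages and their handlers are all made up). It probes with a harmless marker string rather than real payloads, and it separates "marker reflected raw" (an output-encoding bug) from "marker reflected HTML-escaped" (not a bug), which is exactly the kind of false positive you have to eliminate by hand when a point-and-shoot scanner flags everything that echoes input.

```python
"""Added example: toy crawl-then-probe scanner over a constructed in-memory site."""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "http://site.example"  # constructed host, does not exist


# --- Constructed sample site: path -> handler(params) -> HTML body ---------
def _home(params):
    return ('<html><body><a href="/search">search</a>'
            '<a href="/feedback">feedback</a>'
            '<a href="http://other.example/x">external</a></body></html>')


def _search(params):
    q = params.get("q", [""])[0]
    # Correct behaviour: user input is HTML-escaped before being echoed.
    return ('<form action="/search" method="get"><input name="q"></form>'
            f'<p>Results for {html.escape(q)}</p>')


def _feedback(params):
    msg = params.get("msg", [""])[0]
    # Deliberate defect for the demo: input is echoed without encoding.
    return ('<form action="/feedback" method="post"><input name="msg">'
            '<textarea name="body"></textarea></form>'
            f'<p>You said: {msg}</p>')


SITE = {"/": _home, "/search": _search, "/feedback": _feedback}


def fetch(url, params=None):
    """Stand-in for an HTTP request; returns the body, or None for a 404."""
    handler = SITE.get(urlparse(url).path)
    return handler(params or {}) if handler else None


class LinkFormParser(HTMLParser):
    """Collect links and forms (action, method, input names) from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(start):
    """Recursive crawl restricted to the start host; returns {url: [forms]}."""
    host = urlparse(start).netloc
    seen, queue, sitemap = set(), [start], {}
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkFormParser()
        parser.feed(body)
        sitemap[url] = parser.forms
        for href in parser.links:
            nxt = urljoin(url, href)
            if urlparse(nxt).netloc == host and nxt not in seen:
                queue.append(nxt)
    return sitemap


# A harmless marker containing the characters that must be encoded on output.
MARKER = "zq7<>\"'probe"


def probe(sitemap):
    """Submit the marker into every form field and classify how it comes back."""
    findings = []
    for url, forms in sitemap.items():
        for form in forms:
            target = urljoin(url, form["action"])
            for name in form["inputs"]:
                body = fetch(target, {name: [MARKER]}) or ""
                if MARKER in body:
                    verdict = "unescaped-reflection"      # real output-encoding bug
                elif html.escape(MARKER) in body:
                    verdict = "escaped-reflection"        # echoed safely: not a finding
                else:
                    verdict = "not-reflected"
                findings.append((target, name, verdict))
    return findings


if __name__ == "__main__":
    for finding in probe(crawl(BASE + "/")):
        print(*finding)
```

Running it reports `/search` `q` as `escaped-reflection`, `/feedback` `msg` as `unescaped-reflection` and `/feedback` `body` as `not-reflected`; a scanner that only checks "does my input come back?" would flag the first two alike, which is the false positive the closing advice of this post is about. In a real tool the `fetch` stub is replaced by actual HTTP requests that honour the form's method, the crawl gets a depth and rate limit, and the single marker is replaced by the dictionary-based probes the text mentions.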

Nikto is a Perl script that performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. From this perspective Nikto is a kind of "signature-based" tool. It also checks server configuration items such as the presence of multiple index files and HTTP server options, and attempts to identify the installed web server and software. Scan items and plugins are frequently updated.

Nikto won't find all the bugs in your web app, but it will warn you about poorly configured web servers and reveal other interesting things to poke at.

--

There are many more tools on the market. Some of them are extremely expensive and not suited for beginners or for people who just want to get an idea of their website's security.

Don't rely fully on automated tools. Test everything yourself. Go deep. Eliminate false positives. We advise you to treat the point-and-shoot testing method as a basis for further examination, not as the examination itself.